US20030053629A1 - USB authentication interface - Google Patents

Publication number
US20030053629A1
Authority
US
United States
Prior art keywords
key
session key
content material
sequence number
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US09/952,924
Inventor
Geert Knapen
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Koninklijke Philips NV
Original Assignee
Koninklijke Philips Electronics NV
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips Electronics NV
Priority to US09/952,924
Assigned to KONINKLIJKE PHILIPS ELECTRONICS N.V. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: KNAPEN, GEERT ARNOLD
Priority to EP02765255A (EP1430638A2)
Priority to PCT/IB2002/003792 (WO2003026198A2)
Priority to CNA028178815A (CN1554164A)
Priority to JP2003529687A (JP2005503717A)
Priority to KR10-2004-7003720A (KR20040031083A)
Publication of US20030053629A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/12 Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/24 Key scheduling, i.e. generating round keys or sub-keys for block encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60 Digital content management, e.g. content distribution

Definitions

  • This invention relates to the field of computing systems, and in particular to computing systems that utilize a cryptographic protocol for communicating protected content material via a Universal Serial Bus (USB).
  • a number of standards have been adopted or proposed for encrypting copyright content material, or security items such as tickets that are associated with access to the copyright content material, each time the material is transferred from one device to another.
  • a “compliant” CD-recorder creates a CD that contains a copy of copy-protected material
  • the recording will be cryptographically protected so that only a “compliant” CD-player will be able to render the material.
  • “Compliant” devices are devices that enforce the adopted standard. If the original copy-protected content material has a “copy-once” copy limitation, the compliant CD-recorder will cryptographically mark the copy of this original with a “copy-never” notation.
  • a compliant CD-recorder will recognize this “copy-never” notation and will not create a copy of this copy. If the material is copied by a non-compliant recorder, it will not contain the appropriate cryptographic item, and a compliant recorder or playback device will not record or render this copied material.
  • Compliant devices operate in cooperation with each other to prevent unauthorized access to protected content material using a variety of security techniques.
  • the security techniques are provided to overcome the various schemes used to gain unauthorized access.
  • One technique commonly employed is to encrypt the protected material using a different encryption key each time the material is communicated from one device to another. This unique key is termed the “session” key.
  • This unique-session-key technique requires that the session-key be communicated between the devices, and a secure means is required to transmit this session key.
  • the transmitting device transmits an encrypted parameter or set of parameters that the receiving device can use to determine the session key.
  • This encryption of the parameter is based on a public-key, of a public-private-key-pair that is associated with the receiving device.
  • the receiving device uses the private-key of the public-private-key-pair to decrypt the parameter to generate the session key.
  • the public-private-key-pair is provided to each compliant device by a “trusted authority”.
  • the receiving device communicates the public key to the transmitting device over a public channel, without fear of a compromise of security, because the public key's sole function is to encrypt material for communication to the receiving device; it does not provide any useful information for decrypting material.
  • the transmitting device determines when each new session key will take effect, and transmits this scheduled new-key-start-time to the receiving device.
  • the transmitting device also transmits a prepare-new-key command to the receiving device, to provide a sufficient lead-time for the receiving device to calculate the new session key.
  • Each new key is created using a hash function of a counter index and a set of keys that are determined during an initial key exchange session between the transmitting device and the receiving device.
  • the counter index is incremented at each scheduled new-key-start-time, producing the new session key.
  • FIG. 1 illustrates an example block diagram of an encryption system in accordance with this invention.
  • FIG. 2 illustrates an example block diagram of a decryption system in accordance with this invention.
  • FIG. 3 illustrates an example flow diagram of an encryption system in accordance with this invention.
  • FIG. 1 illustrates an example block diagram of an encryption system 100 in accordance with this invention.
  • the example encryption system 100 is illustrated as having a Universal Serial Bus (USB) transmitter 170 for communicating encrypted content material 191 to a decryption system ( 200 in FIG. 2), although, in view of this disclosure, one of ordinary skill in the art will recognize that the principles presented herein are applicable to other communication protocols as well.
  • the encryption system 100 is termed the “host” 100
  • the decryption system 200 is termed the “device” 200 .
  • the host 100 is configured to encrypt content material 180 , via an encrypter 190 that receives an encryption key from a key selector 150 .
  • the encryption key is referred to in FIG. 1 as a “scheduled key” 151 , because, in accordance with this invention, the encryption key that is used to encrypt the content material 180 changes at discrete scheduled times. By changing the key that is used to encrypt the content material, the compromise of one of these keys will have a minimal effect on the security of the content material.
  • a new-key scheduler 110 is configured to trigger 112 the generation of a new key 141 , and to determine the time 111 at which this new key will be utilized as the scheduled key 151 for encrypting the content material 180 at the encrypter 190 .
  • One of the difficulties with providing a scheduled time 111 for effecting an action at both the host 100 and the device 200 is the requirement that both systems 100 , 200 are synchronized to the same time-base.
  • the time-base is selected as an information item that is communicated from the host 100 to the device 200 .
  • the time-base is defined as the “Frame number” of the communicated USB frame.
  • the USB frame number establishes a time reference for all devices on the bus, and is communicated from the host to all devices on the bus every millisecond.
  • the USB frame number consists of an 11-bit number that is contained in the transmitted frame that is incremented each millisecond.
  • similar time or sequence reference items may be utilized to establish a synchronization between the encryption system 100 and decryption system 200 . Note that this common base need not be “time” based. In an asynchronous communication system, the base could be a packet number associated with each communicated packet, a block number associated with each block of data comprising the content material 180 , or each block of encrypted data comprising the encrypted content material 191 , and so on.
  • a key generator 140 corresponds to a modified Needham-Schroeder key generation device.
  • the key generator 140 uses the USB transmitter 170 to exchange random keys with the device 200 , using a conventional Needham-Schroeder key exchange algorithm.
  • Alternative key exchange techniques may be employed as well.
  • FIG. 3 illustrates an example flow diagram for a key exchange and subsequent encryption of content material using changing keys in accordance with this invention.
  • the host ( 100 ) encrypts a host-random-number 312 and a host-random-key 313 using a device-public-key 311 that corresponds to a device-private-key 411 of a public-private (P-p) key pair associated with the device 200 .
  • the device 200 receives this encrypted host-random-number 312 and host-random-key 313 and decrypts them, at 410 , using the device-private-key 411 .
  • the device 200 then encrypts, at 420 , a device-random-number 422 , a device-random-key 423 , and the decrypted host-random-number 312 ′ using a host-public-key 421 that corresponds to a host-private-key 321 of a public-private key pair associated with the host 100 , and communicates it to the host 100 .
  • the host 100 decrypts the device-random-number 422 , the device-random-key 423 , and the re-encrypted host-random-number 312 ′, using the host-private-key 321 .
  • By comparing the host-random-number 312 that was transmitted with the decrypted host-random-number 312 ′′ that was received from the device 200 , the host 100 is able to verify that the intended device is the device with which it is communicating. In like manner, the host 100 communicates the decrypted device-random-number 422 ′ to the device 200 , so that the device 200 can verify that the transmitting system is the host that corresponds to the host-public-key 421 .
  • This exchange of random-numbers 312 , 422 precludes a replay attack, wherein an imitation host or device merely replays one end of a recorded prior key exchange.
  • the aforementioned public-private key pairs are issued and certified by a “trusted authority”. That is, to prevent a non-compliant device from imitating a compliant device, the compliant device 200 sends its public key 311 to the host 100 along with a “certification” of the public key 311 by the trusted authority that issued the keys to the compliant device 200 .
  • the certification is an encryption that is based on a private-key of the trusted authority.
  • the host decrypts the encryption based on the public-key of the trusted authority, and verifies that it corresponds to the provided public-key 311 of the receiving device 200 .
  • the host 100 communicates its public key 421 to the device 200 along with a certification from the trusted authority for verification by the host 100 . Also in a preferred embodiment, both the host 100 and device 200 have access to lists of revoked device or host keys.
  • each system 100 , 200 has knowledge of one or more secure keys.
  • the secure “keys” may be key-parameters that are used to generate the keys that are actually used within the cryptographic modules; for ease of reference, the term “key” is used herein to include such key-parameters.
  • each system 100 , 200 has knowledge of the host-random-key 313 or 313 ′ and the device-random-key 423 or 423 ′, and an eavesdropper to the key exchange will not have this knowledge.
  • the new key scheduler 110 of FIG. 1 is configured to trigger 112 the generation of new keys as the content material 180 is being encrypted.
  • each new key is created by hashing, at 350 and 450 of FIG. 3, a changing index 341 , 351 with the one or more secure keys 313 , 313 ′, 423 , 423 ′ that were obtained via an original key exchange.
  • the hashing function 350 , 450 in a preferred embodiment is cryptographically robust, in that the amount of time required to “un-hash” the factors used to produce the hash value is substantially greater than the time required to produce the hash value from the given factors.
  • a knowledge of the index 341 , 351 does not provide an advantage in trying to deduce a new hash key value from a prior hash key value.
  • a preferred embodiment of this invention utilizes a simple increment, or counting, function, to facilitate a new-key generation having minimal overhead.
  • the new-key scheduler 110 triggers a counter 130 that provides a count value to the key generator 140 as the aforementioned index 341 that is hashed with one or more secure keys, and optionally other keys known to both the host and device, to produce the new-key 141 .
  • This new-key 141 is used to encrypt the next-key-start parameter 111 for transmission to the device 200 , via the USB transmitter 170 .
  • this encryption via the encrypter 120 , provides an added level of security.
  • the next-key-start parameter 111 may be communicated in the clear, or secured by the prior key, and so on.
  • next-key-start parameter 111 is sufficiently far in the future to allow the device 200 to compute a corresponding new-key ( 241 in FIG. 2) before the encrypted content 191 that is encrypted with this new-key 141 is received by the device 200 .
  • the communication of the next-key-start parameter 111 from the host 100 to the receiver 200 constitutes the synchronization 345 between the index generators 340 , 440 of FIG. 3.
  • the encrypted next-key-start 121 is received by the USB receiver 270 and provided to a decrypter 220 .
  • the decrypter 220 generates a trigger signal 221 upon receipt of the encrypted next-key-start 121 , to trigger the production of a new key 251 by the key generator 240 .
  • the host 100 transmits a “prepare-next-key” command, before it transmits the encrypted next-key start 121 , to cause the trigger signal 221 , thereby providing additional preparation time for the device 200 to generate the new-key 251 .
  • the device 200 includes a similar counter 230 and key generator 240 as in the host 100 to generate the same new-key as in the host 100 ( 351 , 451 in FIG. 3) based on a hash of the secure keys and the index ( 441 in FIG. 3) provided by the counter 230 .
  • the USB protocol allows for an isochronous communication mode, wherein the application using this mode is assured a minimal bandwidth.
  • the scheduled next-key-start 111 corresponds to a future frame sequence number.
  • the sequence controller 160 and key selector 150 are configured to provide the new-key 141 as the scheduled key 151 such that the encrypted content 191 that is encoded by the prior key is completely transmitted before the scheduled frame number, and the encrypted content 191 that is encrypted by this new-key 141 is transmitted by the USB transmitter 170 at or after the scheduled frame number.
  • the decrypter 220 in the device 200 provides this next-key-start parameter 111 ′ to the key selector 250 .
  • the USB receiver 270 communicates each frame sequence number 271 to the key selector 250 .
  • When the sequence number 271 equals or exceeds the next-key-start parameter 111 ′, the key selector 250 provides the new-key 251 as the scheduled key 151 ′.
  • the decrypter 290 decrypts the encrypted content material 191 based on the scheduled key 151 ′ to produce the decrypted content material 180 ′, corresponding (if the secure keys correspond) to the transmitted content material 180 .
  • the host 100 and device 200 can be configured to utilize a new key with each USB frame, or at a predetermined interval of USB frames, obviating the need to communicate a next-key start parameter 111 from the host 100 to the device 200 .
  • the USB frame number 161 can be utilized directly as the index 341 , 441 that is hashed with the secure keys to produce the new-key 141 , 241 .

Abstract

A sequence of transmissions is encrypted as a set of sub-sequences, each sub-sequence having a different session key. The transmitting device determines when each new session key will take effect, and transmits this scheduled new-key-start-time to the receiving device. In a preferred embodiment, the transmitting device also transmits a prepare-new-key command to the receiving device, to provide a sufficient lead-time for the receiving device to calculate the new session key. Each new key is created using a hash function of a counter index and a set of keys that are determined during an initial key exchange session between the transmitting device and the receiving device. The counter index is incremented at each scheduled new-key-start-time, producing the new session key.

Description

    BACKGROUND OF THE INVENTION
  • 1. Field of the Invention [0001]
  • This invention relates to the field of computing systems, and in particular to computing systems that utilize a cryptographic protocol for communicating protected content material via a Universal Serial Bus (USB). [0002]
  • 2. Description of Related Art [0003]
  • The use of cryptography for encoding electronic content material continues to increase. In the entertainment field, digital audio and video recordings are encrypted to protect the material from unauthorized copying. In the communications field, documents are encrypted to prevent unauthorized viewing, and encrypted certificates are used to verify the authenticity of a document. [0004]
  • A number of standards have been adopted or proposed for encrypting copyright content material, or security items such as tickets that are associated with access to the copyright content material, each time the material is transferred from one device to another. For example, when a “compliant” CD-recorder creates a CD that contains a copy of copy-protected material, the recording will be cryptographically protected so that only a “compliant” CD-player will be able to render the material. “Compliant” devices are devices that enforce the adopted standard. If the original copy-protected content material has a “copy-once” copy limitation, the compliant CD-recorder will cryptographically mark the copy of this original with a “copy-never” notation. A compliant CD-recorder will recognize this “copy-never” notation and will not create a copy of this copy. If the material is copied by a non-compliant recorder, it will not contain the appropriate cryptographic item, and a compliant recorder or playback device will not record or render this copied material. [0005]
  • Compliant devices operate in cooperation with each other to prevent unauthorized access to protected content material using a variety of security techniques. The security techniques are provided to overcome the various schemes used to gain unauthorized access. One technique commonly employed is to encrypt the protected material using a different encryption key each time the material is communicated from one device to another. This unique key is termed the “session” key. This unique-session-key technique, however, requires that the session-key be communicated between the devices, and a secure means is required to transmit this session key. Typically, the transmitting device transmits an encrypted parameter or set of parameters that the receiving device can use to determine the session key. This encryption of the parameter is based on a public-key, of a public-private-key-pair that is associated with the receiving device. The receiving device uses the private-key of the public-private-key-pair to decrypt the parameter to generate the session key. Typically, the public-private-key-pair is provided to each compliant device by a “trusted authority”. The receiving device communicates the public key to the transmitting device over a public channel, without fear of a compromise of security, because the public key's sole function is to encrypt material for communication to the receiving device; it does not provide any useful information for decrypting material. [0006]
  • Despite these security measures, a variety of illicit attacks are commonly known that can be used to defeat these security measures. A number of these attacks often involve “replay” scenarios, wherein the attacker records prior communications between compliant devices and replays the communications to one or both of the compliant devices at a later session to convince one or both of the devices that the attacker's device is an authorized compliant device. Although techniques and protocols are available to defeat replay attacks, such as the Needham-Schroeder protocol, these protocols remain vulnerable to a compromise of the session key. [0007]
  • BRIEF SUMMARY OF THE INVENTION
  • It is an object of this invention to provide a secure means for transferring content material from one device to another. It is a further object of this invention to provide a secure means of transferring content material that provides protection against a compromise of the session key. [0008]
  • These objects and others are achieved by encrypting a sequence of transmissions as a set of sub-sequences, each sub-sequence having a different session key. The transmitting device determines when each new session key will take effect, and transmits this scheduled new-key-start-time to the receiving device. In a preferred embodiment, the transmitting device also transmits a prepare-new-key command to the receiving device, to provide a sufficient lead-time for the receiving device to calculate the new session key. Each new key is created using a hash function of a counter index and a set of keys that are determined during an initial key exchange session between the transmitting device and the receiving device. The counter index is incremented at each scheduled new-key-start-time, producing the new session key. [0009]
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The invention is explained in further detail, and by way of example, with reference to the accompanying drawings wherein: [0010]
  • FIG. 1 illustrates an example block diagram of an encryption system in accordance with this invention. [0011]
  • FIG. 2 illustrates an example block diagram of a decryption system in accordance with this invention. [0012]
  • FIG. 3 illustrates an example flow diagram of an encryption system in accordance with this invention. [0013]
  • Throughout the drawings, the same reference numerals indicate similar or corresponding features or functions. [0014]
  • DETAILED DESCRIPTION OF THE INVENTION
  • FIG. 1 illustrates an example block diagram of an encryption system 100 in accordance with this invention. The example encryption system 100 is illustrated as having a Universal Serial Bus (USB) transmitter 170 for communicating encrypted content material 191 to a decryption system (200 in FIG. 2), although, in view of this disclosure, one of ordinary skill in the art will recognize that the principles presented herein are applicable to other communication protocols as well. For ease of reference, and consistent with the USB protocol terminology, the encryption system 100 is termed the “host” 100, and the decryption system 200 is termed the “device” 200. [0015]
  • The host 100 is configured to encrypt content material 180, via an encrypter 190 that receives an encryption key from a key selector 150. The encryption key is referred to in FIG. 1 as a “scheduled key” 151, because, in accordance with this invention, the encryption key that is used to encrypt the content material 180 changes at discrete scheduled times. By changing the key that is used to encrypt the content material, the compromise of one of these keys will have a minimal effect on the security of the content material. [0016]
  • A new-key scheduler 110 is configured to trigger 112 the generation of a new key 141, and to determine the time 111 at which this new key will be utilized as the scheduled key 151 for encrypting the content material 180 at the encrypter 190. One of the difficulties with providing a scheduled time 111 for effecting an action at both the host 100 and the device 200, however, is the requirement that both systems 100, 200 are synchronized to the same time-base. In a preferred embodiment of this invention, the time-base is selected as an information item that is communicated from the host 100 to the device 200. In the context of the illustrated USB protocol embodiment, the time-base is defined as the “Frame number” of the communicated USB frame. The USB frame number establishes a time reference for all devices on the bus, and is communicated from the host to all devices on the bus every millisecond. The USB frame number consists of an 11-bit number that is contained in the transmitted frame that is incremented each millisecond. In the context of other protocols, similar time or sequence reference items may be utilized to establish a synchronization between the encryption system 100 and decryption system 200. Note that this common base need not be “time” based. In an asynchronous communication system, the base could be a packet number associated with each communicated packet, a block number associated with each block of data comprising the content material 180, or each block of encrypted data comprising the encrypted content material 191, and so on. [0017]
  • In a preferred embodiment, a key generator 140 corresponds to a modified Needham-Schroeder key generation device. Not illustrated, the key generator 140 uses the USB transmitter 170 to exchange random keys with the device 200, using a conventional Needham-Schroeder key exchange algorithm. Alternative key exchange techniques may be employed as well. [0018]
  • FIG. 3 illustrates an example flow diagram for a key exchange and subsequent encryption of content material using changing keys in accordance with this invention. At 310, the host (100) encrypts a host-random-number 312 and a host-random-key 313 using a device-public-key 311 that corresponds to a device-private-key 411 of a public-private (P-p) key pair associated with the device 200. The device 200 receives this encrypted host-random-number 312 and host-random-key 313 and decrypts them, at 410, using the device-private-key 411. The device 200 then encrypts, at 420, a device-random-number 422, a device-random-key 423, and the decrypted host-random-number 312′ using a host-public-key 421 that corresponds to a host-private-key 321 of a public-private key pair associated with the host 100, and communicates it to the host 100. The host 100 decrypts the device-random-number 422, the device-random-key 423, and the re-encrypted host-random-number 312′, using the host-private-key 321. By comparing the host-random-number 312 that was transmitted with the decrypted host-random-number 312″ that was received from the device 200, the host 100 is able to verify that the intended device is the device with which it is communicating. In like manner, the host 100 communicates the decrypted device-random-number 422′ to the device 200, so that the device 200 can verify that the transmitting system is the host that corresponds to the host-public-key 421. This exchange of random-numbers 312, 422 precludes a replay attack, wherein an imitation host or device merely replays one end of a recorded prior key exchange. [0019]
  • As is common in the art, but not illustrated, the aforementioned public-private key pairs are issued and certified by a “trusted authority”. That is, to prevent a non-compliant device from imitating a compliant device, the compliant device 200 sends its public key 311 to the host 100 along with a “certification” of the public key 311 by the trusted authority that issued the keys to the compliant device 200. The certification is an encryption that is based on a private-key of the trusted authority. The host decrypts the encryption based on the public-key of the trusted authority, and verifies that it corresponds to the provided public-key 311 of the receiving device 200. In like manner, the host 100 communicates its public key 421 to the device 200 along with a certification from the trusted authority for verification by the host 100. Also in a preferred embodiment, both the host 100 and device 200 have access to lists of revoked device or host keys. [0020]
  • [0021] At the completion of a key exchange, each system 100, 200 has knowledge of one or more secure keys. As is common in the art, the secure “keys” may be key-parameters that are used to generate the keys that are actually used within the cryptographic modules; for ease of reference, the term “key” is used herein to include such key-parameters. In the example key exchange of FIG. 3, each system 100, 200 has knowledge of the host-random-key 313 or 313′ and the device-random-key 423 or 423′, and an eavesdropper to the key exchange will not have this knowledge. As discussed above, the new key scheduler 110 of FIG. 1 is configured to trigger 112 the generation of new keys as the content material 180 is being encrypted. Although a new key-exchange session 310-410-320-420-330-430, detailed above, could be initiated upon receipt of each trigger 112 from the new key scheduler 110, such an approach would incur a significant amount of overhead with each new-key generation. In a preferred embodiment, each new key is created by hashing, at 350 and 450 of FIG. 3, a changing index 341, 351 with the one or more secure keys 313, 313′, 423, 423′ that were obtained via an original key exchange. The hashing function 350, 450 in a preferred embodiment is cryptographically robust, in that the amount of time required to “un-hash” the factors used to produce the hash value is substantially greater than the time required to produce the hash value from the given factors. Thus, a knowledge of the index 341, 351 does not provide an advantage in trying to deduce a new hash key value from a prior hash key value. Because a knowledge of the index 341, 351 does not provide a security advantage, a preferred embodiment of this invention utilizes a simple increment, or counting, function, to facilitate a new-key generation having minimal overhead.
  • [0022] As illustrated in FIG. 1, the new-key scheduler 110 triggers a counter 130 that provides a count value to the key generator 140 as the aforementioned index 341 that is hashed with one or more secure keys, and optionally other keys known to both the host and device, to produce the new-key 141. This new-key 141 is used to encrypt the next-key-start parameter 111 for transmission to the device 200, via the USB transmitter 170. As would be evident to one of ordinary skill in the art, this encryption, via the encrypter 120, provides an added level of security. Alternatively, albeit less secure, the next-key-start parameter 111 may be communicated in the clear, or secured by the prior key, and so on. In a preferred embodiment, the next-key-start parameter 111 is sufficiently far in the future to allow the device 200 to compute a corresponding new-key (241 in FIG. 2) before the encrypted content 191 that is encrypted with this new-key 141 is received by the device 200. The communication of the next-key-start parameter 111 from the host 100 to the receiver 200 constitutes the synchronization 345 between the index generators 340, 440 of FIG. 3.
  • [0023] As illustrated in FIG. 2, the encrypted next-key-start 121 is received by the USB receiver 270 and provided to a decrypter 220. The decrypter 220 generates a trigger signal 221 upon receipt of the encrypted next-key-start 121, to trigger the production of a new key 251 by the key generator 240. Alternatively, in a preferred embodiment, the host 100 transmits a “prepare-next-key” command, before it transmits the encrypted next-key-start 121, to cause the trigger signal 221, thereby providing additional preparation time for the device 200 to generate the new-key 251. The device 200 includes a similar counter 230 and key generator 240 as in the host 100 to generate the same new-key as in the host 100 (351, 451 in FIG. 3) based on a hash of the secure keys and the index (441 in FIG. 3) provided by the counter 230.
  • [0024] The USB protocol allows for an isochronous communication mode, wherein the application using this mode is assured a minimal bandwidth. In accordance with this invention, the scheduled next-key-start 111 corresponds to a future frame sequence number. The sequence controller 160 and key selector 150 are configured to provide the new-key 141 as the scheduled key 151 such that the encrypted content 191 that is encoded by the prior key is completely transmitted before the scheduled frame number, and the encrypted content 191 that is encrypted by this new-key 141 is transmitted by the USB transmitter 170 at or after the scheduled frame number. The decrypter 220 in the device 200 provides this next-key-start parameter 111′ to the key selector 250. The USB receiver 270 communicates each frame sequence number 271 to the key selector 250. When the sequence number 271 equals or exceeds the next-key-start parameter 111′, the key selector 250 provides the new-key 251 as the scheduled key 151′. The decrypter 290 decrypts the encrypted content material 191 based on the scheduled key 151′ to produce the decrypted content material 180′, corresponding (if the secure keys correspond) to the transmitted content material 180.
  • [0025] The foregoing merely illustrates the principles of the invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements which, although not explicitly described or shown herein, embody the principles of the invention and are thus within its spirit and scope. For example, to minimize the complexity of the embodiment, the host 100 and device 200 can be configured to utilize a new key with each USB frame, or at a predetermined interval of USB frames, obviating the need to communicate a next-key-start parameter 111 from the host 100 to the device 200. Independently, or in combination with this periodic key-change, the USB frame number 161 can be utilized directly as the index 341, 441 that is hashed with the secure keys to produce the new-key 141, 241. These and other system configuration and optimization features will be evident to one of ordinary skill in the art in view of this disclosure, and are included within the scope of the following claims.
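The key schedule described above (a counting index hashed with the secure keys, a next-key-start frame number sent encrypted under the new key, and a key selector that switches when the frame number equals or exceeds it) can be sketched as follows. This is an added example, not code from the patent. HMAC-SHA-256 as the hash, the SHA-256 keystream used as a stand-in cipher, every class and function name, and the treatment of frame numbers as non-wrapping integers are assumptions of the example.

```python
import hashlib
import hmac
import secrets


def derive_session_key(host_key: bytes, device_key: bytes, index: int) -> bytes:
    # Hash of the secure keys with the changing index. HMAC-SHA-256 is this
    # example's choice; the patent does not name a hash function.
    return hmac.new(host_key + device_key, index.to_bytes(4, "big"),
                    hashlib.sha256).digest()


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): SHA-256 keystream XORed with the data.
    # Encryption and decryption are the same operation.
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))


class Endpoint:
    """State common to host and device: secure keys, index counter, key selector."""

    def __init__(self, host_key: bytes, device_key: bytes):
        self.host_key, self.device_key = host_key, device_key
        self.index = 0
        self.current = derive_session_key(host_key, device_key, self.index)
        self.pending = None  # (scheduled start frame, new key) or None

    def _next_key(self) -> bytes:
        self.index += 1  # simple counting index, as in the description
        return derive_session_key(self.host_key, self.device_key, self.index)

    def scheduled_key(self, frame_no: int) -> bytes:
        # Key selector: switch once the frame number equals or exceeds the start.
        if self.pending and frame_no >= self.pending[0]:
            self.current, self.pending = self.pending[1], None
        return self.current

    def process(self, frame_no: int, data: bytes) -> bytes:
        nonce = b"frame" + frame_no.to_bytes(4, "big")
        return xor_stream(self.scheduled_key(frame_no), nonce, data)


class Host(Endpoint):
    def schedule_new_key(self, now_frame: int, lead: int = 8) -> bytes:
        new_key = self._next_key()
        start = now_frame + lead  # far enough ahead for the device to derive its key
        self.pending = (start, new_key)
        # The next-key-start parameter is sent encrypted under the new key.
        return xor_stream(new_key, b"next-key-start", start.to_bytes(4, "big"))


class Device(Endpoint):
    def on_next_key_start(self, blob: bytes) -> int:
        new_key = self._next_key()
        start = int.from_bytes(xor_stream(new_key, b"next-key-start", blob), "big")
        self.pending = (start, new_key)
        return start


def run_demo(first_frame: int = 100, frames: int = 20, rekey_at: int = 104):
    # Constructed stand-ins for the secure keys left by the FIG. 3 exchange.
    host_key, device_key = secrets.token_bytes(16), secrets.token_bytes(16)
    host, device = Host(host_key, device_key), Device(host_key, device_key)
    log = []
    for frame_no in range(first_frame, first_frame + frames):
        if frame_no == rekey_at:
            device.on_next_key_start(host.schedule_new_key(frame_no))
        payload = b"content frame %d" % frame_no
        recovered = device.process(frame_no, host.process(frame_no, payload))
        in_use = host.index if host.pending is None else host.index - 1
        log.append((frame_no, in_use, recovered == payload))
    return log
```

USB frame numbers are 11 bits wide and wrap, so a real key selector needs a wrap-aware comparison rather than the plain `>=` used here. The scheme also carries no integrity check, so a receiver holding the wrong secure keys produces garbage output rather than an error.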

Claims (17)

I claim:
1. A method for communicating content material from a transmitter comprising:
determining a first session key, a second session key, and a scheduled start sequence number associated with the second session key,
encrypting a first portion of the content material based on the first session key to form a first sequence of encrypted content material for communication to a receiver before the scheduled start sequence number associated with the second session key,
communicating the scheduled start sequence number associated with the second session key to the receiver, and
encrypting a second portion of the content material based on the second session key to form a second sequence of encrypted content material for communication to the receiver at and after the scheduled start sequence number associated with the second session key.
2. The method of claim 1, further including:
receiving a key from the intended receiver, and wherein
determining the first session key and the second session key is based upon the key that is received from the intended receiver.
3. The method of claim 2, wherein
determining the first session key and the second session key is based upon a Needham-Schroeder public key exchange protocol.
4. The method of claim 1, wherein
the first session key corresponds to a first hash value that is based on a host key that is associated with the transmitter, a device key that is associated with the receiver, and a first index value, and
the second session key corresponds to a second hash value that is based on the host key, the device key, and a second index value.
5. The method of claim 4, wherein
the first hash value and the second hash value are further based on a second host key and a second device key.
6. The method of claim 1, wherein
the first sequence and second sequence of encrypted content material comprise sequences of frames that are communicated in accordance with a Universal Serial Bus (USB) protocol, and
the scheduled start sequence number corresponds to a USB frame number.
7. An encryption system that is configured to encrypt content material to provide encrypted content material for transmission to a decryption system comprising:
an encrypter that is configured to:
encrypt a first portion of the content material based on a first session key to form a first encrypted sequence,
encrypt a second portion of the content material based on a second session key to form a second encrypted sequence having a starting sequence number, and
a transmitter that is configured to
transmit the starting sequence number, the first encrypted sequence, and the second encrypted sequence to the decryption system.
8. The encryption system of claim 7, further including:
a key generator that is configured to provide the first session key and the second session key based on at least one key that is intended to be known to the encryption system and the decryption system only.
9. The encryption system of claim 8, wherein
the at least one key that is intended to be known to the encryption system and the decryption system only is communicated between the encryption system and the decryption system via a Needham-Schroeder key-exchange algorithm.
10. The encryption system of claim 8, wherein
the key generator is further configured to provide:
the first session key based on a hash of the at least one key and a first index value, and
the second session key based on the hash of the at least one key and a second index value.
11. The encryption system of claim 7, wherein
the transmitter is further configured to transmit the starting sequence number, the first encrypted sequence, and the second encrypted sequence based on a Universal Serial Bus (USB) protocol, and
the starting sequence number corresponds to a USB frame number.
12. The encryption system of claim 7, wherein
the transmitter is further configured to transmit the starting sequence number as an encrypted starting sequence number.
13. A decryption system comprising
a receiver that is configured to receive encrypted content material and a starting sequence number from an encryption system, and
a decrypter that is configured to
decrypt a first sequence of the encrypted content material before the starting sequence number based on a first session key, and
decrypt a second sequence of the encrypted content material at and after the starting sequence number based on a second session key.
14. The decryption system of claim 13, further including:
a key generator that is configured to provide the first session key and the second session key based on at least one key that is intended to be known to the encryption system and the decryption system only.
15. The encryption system of claim 14, wherein
the at least one key that is intended to be known to the encryption system and the decryption system only is communicated between the encryption system and the decryption system via a Needham-Schroeder key-exchange algorithm.
16. The encryption system of claim 14, wherein
the key generator is further configured to provide:
the first session key based on a hash of the at least one key and a first index value, and
the second session key based on the hash of the at least one key and a second index value.
17. The encryption system of claim 13, wherein
the receiver is further configured to receive the starting sequence number and the encrypted content material based on a Universal Serial Bus (USB) protocol, and
the starting sequence number corresponds to a USB frame number.
US09/952,924 2001-09-14 2001-09-14 USB authentication interface Abandoned US20030053629A1 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
US09/952,924 US20030053629A1 (en) 2001-09-14 2001-09-14 USB authentication interface
EP02765255A EP1430638A2 (en) 2001-09-14 2002-09-13 Usb authentication interface
PCT/IB2002/003792 WO2003026198A2 (en) 2001-09-14 2002-09-13 Usb authentication interface
CNA028178815A CN1554164A (en) 2001-09-14 2002-09-13 USB authentication interface
JP2003529687A JP2005503717A (en) 2001-09-14 2002-09-13 USB authentication interface
KR10-2004-7003720A KR20040031083A (en) 2001-09-14 2002-09-13 USB authentication interface

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US09/952,924 US20030053629A1 (en) 2001-09-14 2001-09-14 USB authentication interface

Publications (1)

Publication Number Publication Date
US20030053629A1 true US20030053629A1 (en) 2003-03-20

Family

ID=25493360

Family Applications (1)

Application Number Title Priority Date Filing Date
US09/952,924 Abandoned US20030053629A1 (en) 2001-09-14 2001-09-14 USB authentication interface

Country Status (6)

Country Link
US (1) US20030053629A1 (en)
EP (1) EP1430638A2 (en)
JP (1) JP2005503717A (en)
KR (1) KR20040031083A (en)
CN (1) CN1554164A (en)
WO (1) WO2003026198A2 (en)

Also Published As

Publication number Publication date
JP2005503717A (en) 2005-02-03
EP1430638A2 (en) 2004-06-23
KR20040031083A (en) 2004-04-09
WO2003026198A3 (en) 2003-10-23
CN1554164A (en) 2004-12-08
WO2003026198A2 (en) 2003-03-27

Legal Events

Date Code Title Description
AS Assignment

Owner name: KONINKLIJKE PHILIPS ELECTRONICS N.V., NETHERLANDS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:KNAPEN, GEERT ARNOLD;REEL/FRAME:012181/0125

Effective date: 20010914

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION